diff --git a/doc/json/actor.json b/doc/json/actor.json
index 510915ff..d1eb1a72 100644
--- a/doc/json/actor.json
+++ b/doc/json/actor.json
@@ -26,7 +26,7 @@
"motivation" : "Ego",
"planning_and_operational_support" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"sophistication" : "Aspirant",
"source" : "string",
diff --git a/doc/json/asset.json b/doc/json/asset.json
index ea718b68..2dad83a4 100644
--- a/doc/json/asset.json
+++ b/doc/json/asset.json
@@ -12,7 +12,7 @@
"id" : "string",
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/asset_mapping.json b/doc/json/asset_mapping.json
index e24768b0..fa640fc1 100644
--- a/doc/json/asset_mapping.json
+++ b/doc/json/asset_mapping.json
@@ -17,7 +17,7 @@
"value" : "1.2.3.4"
},
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"specificity" : "Low",
diff --git a/doc/json/asset_properties.json b/doc/json/asset_properties.json
index b7181e57..1d2df730 100644
--- a/doc/json/asset_properties.json
+++ b/doc/json/asset_properties.json
@@ -15,7 +15,7 @@
"value" : "string"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
diff --git a/doc/json/attack_pattern.json b/doc/json/attack_pattern.json
index 365e99ae..7d929eda 100644
--- a/doc/json/attack_pattern.json
+++ b/doc/json/attack_pattern.json
@@ -16,7 +16,7 @@
} ],
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/bundle.json b/doc/json/bundle.json
index 367bfdd6..84adcf69 100644
--- a/doc/json/bundle.json
+++ b/doc/json/bundle.json
@@ -28,7 +28,7 @@
"motivation" : "Ego",
"planning_and_operational_support" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"sophistication" : "Aspirant",
"source" : "string",
@@ -62,7 +62,7 @@
"value" : "1.2.3.4"
},
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"specificity" : "Low",
@@ -92,7 +92,7 @@
"value" : "string"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -119,7 +119,7 @@
"id" : "string",
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -151,7 +151,7 @@
} ],
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -185,7 +185,7 @@
"language" : "string",
"names" : [ "string" ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -259,7 +259,7 @@
"source" : "string"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -297,7 +297,7 @@
"revision" : 10,
"row_count" : 10,
"rows" : [ [ "anything" ] ],
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -335,7 +335,7 @@
"language" : "string",
"reason" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -366,7 +366,7 @@
},
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -383,6 +383,7 @@
"categories" : [ "Attrition" ],
"confidence" : "High",
"description" : "string",
+ "detection_sources" : [ "string" ],
"discovery_method" : "Agent Disclosure",
"external_ids" : [ "string" ],
"external_references" : [ {
@@ -408,7 +409,7 @@
},
"promotion_method" : "Automated",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"scores" : {
"asset" : 10.0
},
@@ -451,7 +452,7 @@
"negate" : true,
"producer" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"severity" : "Critical",
"short_description" : "string",
"source" : "string",
@@ -500,7 +501,7 @@
"reason" : "string",
"reason_uri" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"severity" : "Critical",
"source" : "string",
"source_uri" : "string",
@@ -533,7 +534,7 @@
"labels" : [ "adware" ],
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -563,7 +564,7 @@
"entity_type" : "string"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -585,7 +586,7 @@
"language" : "string",
"relationship_type" : "attributed-to",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_ref" : "string",
@@ -597,7 +598,7 @@
"type" : "relationship"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"sighting_refs" : [ "string" ],
"sightings" : [ {
@@ -865,7 +866,7 @@
} ],
"resolution" : "detected",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"sensor" : "endpoint",
"sensor_coordinates" : {
"observables" : [ {
@@ -912,7 +913,7 @@
"id" : "string",
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -958,7 +959,7 @@
"labels" : [ "credential-exploitation" ],
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -1099,7 +1100,7 @@
"last_modified_date" : "2016-01-01T01:01:01.000Z",
"published_date" : "2016-01-01T01:01:01.000Z",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -1180,7 +1181,7 @@
"strategy" : "Attack Surface Reduction"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/campaign.json b/doc/json/campaign.json
index 7a55bf44..3726c898 100644
--- a/doc/json/campaign.json
+++ b/doc/json/campaign.json
@@ -19,7 +19,7 @@
"language" : "string",
"names" : [ "string" ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/casebook.json b/doc/json/casebook.json
index 633424dc..ddee5b39 100644
--- a/doc/json/casebook.json
+++ b/doc/json/casebook.json
@@ -29,7 +29,7 @@
"motivation" : "Ego",
"planning_and_operational_support" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"sophistication" : "Aspirant",
"source" : "string",
@@ -63,7 +63,7 @@
"value" : "1.2.3.4"
},
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"specificity" : "Low",
@@ -93,7 +93,7 @@
"value" : "string"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -120,7 +120,7 @@
"id" : "string",
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -152,7 +152,7 @@
} ],
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -186,7 +186,7 @@
"language" : "string",
"names" : [ "string" ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -260,7 +260,7 @@
"source" : "string"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -298,7 +298,7 @@
"revision" : 10,
"row_count" : 10,
"rows" : [ [ "anything" ] ],
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -336,7 +336,7 @@
"language" : "string",
"reason" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -367,7 +367,7 @@
},
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -384,6 +384,7 @@
"categories" : [ "Attrition" ],
"confidence" : "High",
"description" : "string",
+ "detection_sources" : [ "string" ],
"discovery_method" : "Agent Disclosure",
"external_ids" : [ "string" ],
"external_references" : [ {
@@ -409,7 +410,7 @@
},
"promotion_method" : "Automated",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"scores" : {
"asset" : 10.0
},
@@ -452,7 +453,7 @@
"negate" : true,
"producer" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"severity" : "Critical",
"short_description" : "string",
"source" : "string",
@@ -501,7 +502,7 @@
"reason" : "string",
"reason_uri" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"severity" : "Critical",
"source" : "string",
"source_uri" : "string",
@@ -534,7 +535,7 @@
"labels" : [ "adware" ],
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -564,7 +565,7 @@
"entity_type" : "string"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -586,7 +587,7 @@
"language" : "string",
"relationship_type" : "attributed-to",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_ref" : "string",
@@ -598,7 +599,7 @@
"type" : "relationship"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"sighting_refs" : [ "string" ],
"sightings" : [ {
@@ -866,7 +867,7 @@
} ],
"resolution" : "detected",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"sensor" : "endpoint",
"sensor_coordinates" : {
"observables" : [ {
@@ -913,7 +914,7 @@
"id" : "string",
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -959,7 +960,7 @@
"labels" : [ "credential-exploitation" ],
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -1100,7 +1101,7 @@
"last_modified_date" : "2016-01-01T01:01:01.000Z",
"published_date" : "2016-01-01T01:01:01.000Z",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -1181,7 +1182,7 @@
"strategy" : "Attack Surface Reduction"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
@@ -1212,7 +1213,7 @@
"value" : "1.2.3.4"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/coa.json b/doc/json/coa.json
index 2459fca6..d7df19a0 100644
--- a/doc/json/coa.json
+++ b/doc/json/coa.json
@@ -57,7 +57,7 @@
"source" : "string"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/feedback.json b/doc/json/feedback.json
index a314e343..8e17ab7f 100644
--- a/doc/json/feedback.json
+++ b/doc/json/feedback.json
@@ -13,7 +13,7 @@
"language" : "string",
"reason" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
diff --git a/doc/json/incident.json b/doc/json/incident.json
index 639a323a..a836dc9b 100644
--- a/doc/json/incident.json
+++ b/doc/json/incident.json
@@ -3,6 +3,7 @@
"categories" : [ "Attrition" ],
"confidence" : "High",
"description" : "string",
+ "detection_sources" : [ "string" ],
"discovery_method" : "Agent Disclosure",
"external_ids" : [ "string" ],
"external_references" : [ {
@@ -28,7 +29,7 @@
},
"promotion_method" : "Automated",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"scores" : {
"asset" : 10.0
},
diff --git a/doc/json/indicator.json b/doc/json/indicator.json
index 5aca3081..ad01b235 100644
--- a/doc/json/indicator.json
+++ b/doc/json/indicator.json
@@ -24,7 +24,7 @@
"negate" : true,
"producer" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"severity" : "Critical",
"short_description" : "string",
"source" : "string",
diff --git a/doc/json/judgement.json b/doc/json/judgement.json
index 922fbabc..7478eaa6 100644
--- a/doc/json/judgement.json
+++ b/doc/json/judgement.json
@@ -20,7 +20,7 @@
"reason" : "string",
"reason_uri" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"severity" : "Critical",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/malware.json b/doc/json/malware.json
index 3f25549a..3fff2327 100644
--- a/doc/json/malware.json
+++ b/doc/json/malware.json
@@ -17,7 +17,7 @@
"labels" : [ "adware" ],
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/note.json b/doc/json/note.json
index 852465e7..4dff5692 100644
--- a/doc/json/note.json
+++ b/doc/json/note.json
@@ -17,7 +17,7 @@
"entity_type" : "string"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"source" : "string",
"source_uri" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
diff --git a/doc/json/relationship.json b/doc/json/relationship.json
index 872ea7f8..6dbefc70 100644
--- a/doc/json/relationship.json
+++ b/doc/json/relationship.json
@@ -12,7 +12,7 @@
"language" : "string",
"relationship_type" : "attributed-to",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_ref" : "string",
diff --git a/doc/json/sighting.json b/doc/json/sighting.json
index 9f5eddf0..8f4b20d9 100644
--- a/doc/json/sighting.json
+++ b/doc/json/sighting.json
@@ -263,7 +263,7 @@
} ],
"resolution" : "detected",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"sensor" : "endpoint",
"sensor_coordinates" : {
"observables" : [ {
diff --git a/doc/json/target_record.json b/doc/json/target_record.json
index c587e601..56a89257 100644
--- a/doc/json/target_record.json
+++ b/doc/json/target_record.json
@@ -11,7 +11,7 @@
"id" : "string",
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/tool.json b/doc/json/tool.json
index 7d2aeb88..e49d7caa 100644
--- a/doc/json/tool.json
+++ b/doc/json/tool.json
@@ -16,7 +16,7 @@
"labels" : [ "credential-exploitation" ],
"language" : "string",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/vulnerability.json b/doc/json/vulnerability.json
index 53a8bfa6..8381c9cd 100644
--- a/doc/json/vulnerability.json
+++ b/doc/json/vulnerability.json
@@ -108,7 +108,7 @@
"last_modified_date" : "2016-01-01T01:01:01.000Z",
"published_date" : "2016-01-01T01:01:01.000Z",
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/json/weakness.json b/doc/json/weakness.json
index 123f7199..d4e6ef41 100644
--- a/doc/json/weakness.json
+++ b/doc/json/weakness.json
@@ -68,7 +68,7 @@
"strategy" : "Attack Surface Reduction"
} ],
"revision" : 10,
- "schema_version" : "1.3.20",
+ "schema_version" : "1.3.21",
"short_description" : "string",
"source" : "string",
"source_uri" : "string",
diff --git a/doc/structures/bundle.md b/doc/structures/bundle.md
index e85afae9..6e6370ce 100644
--- a/doc/structures/bundle.md
+++ b/doc/structures/bundle.md
@@ -4443,6 +4443,7 @@ A URL reference to an external resource.
|[assignees](#propertyassignees-shortstringstringlist)|ShortStringString List|A set of owners assigned to this incident.||
|[categories](#propertycategories-incidentcategorystringlist)|IncidentCategoryString List|A set of categories for this incident.||
|[description](#propertydescription-markdownstring)|MarkdownString|A description of object, which may be detailed.||
+|[detection_sources](#propertydetection_sources-medstringstringlist)|MedStringString List|A set of sources that contributed threat detections to the incident.||
|[discovery_method](#propertydiscovery_method-discoverymethodstring)|DiscoveryMethodString|Identifies how the incident was discovered.||
|[external_ids](#propertyexternal_ids-stringlist)|String List|It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.||
|[external_references](#propertyexternal_references-externalreferenceobjectlist)|*ExternalReference* Object List|Specifies a list of external references which refers to non-CTIM information. Similar to `external_ids` field with major differences: - `external_ids` field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The `external_ids` field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - `external_references` field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The `external_references` field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.||
@@ -4539,6 +4540,17 @@ A description of object, which may be detailed.
* *Markdown* Markdown string with at most 5000 characters.
+
+## Property detection_sources ∷ MedStringString List
+
+A set of sources that contributed threat detections to the incident.
+
+* This entry is optional
+* This entry's type is sequential (allows zero or more values)
+
+
+ * *MedString* String with at most 2048 characters.
+
## Property discovery_method ∷ DiscoveryMethodString
diff --git a/doc/structures/casebook.md b/doc/structures/casebook.md
index ee295ccf..172c03a4 100644
--- a/doc/structures/casebook.md
+++ b/doc/structures/casebook.md
@@ -11207,6 +11207,7 @@ A URL reference to an external resource.
|[assignees](#propertyassignees-shortstringstringlist)|ShortStringString List|A set of owners assigned to this incident.||
|[categories](#propertycategories-incidentcategorystringlist)|IncidentCategoryString List|A set of categories for this incident.||
|[description](#propertydescription-markdownstring)|MarkdownString|A description of object, which may be detailed.||
+|[detection_sources](#propertydetection_sources-medstringstringlist)|MedStringString List|A set of sources that contributed threat detections to the incident.||
|[discovery_method](#propertydiscovery_method-discoverymethodstring)|DiscoveryMethodString|Identifies how the incident was discovered.||
|[external_ids](#propertyexternal_ids-stringlist)|String List|It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.||
|[external_references](#propertyexternal_references-externalreferenceobjectlist)|*ExternalReference* Object List|Specifies a list of external references which refers to non-CTIM information. Similar to `external_ids` field with major differences: - `external_ids` field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The `external_ids` field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - `external_references` field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The `external_references` field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.||
@@ -11303,6 +11304,17 @@ A description of object, which may be detailed.
* *Markdown* Markdown string with at most 5000 characters.
+
+## Property detection_sources ∷ MedStringString List
+
+A set of sources that contributed threat detections to the incident.
+
+* This entry is optional
+* This entry's type is sequential (allows zero or more values)
+
+
+ * *MedString* String with at most 2048 characters.
+
## Property discovery_method ∷ DiscoveryMethodString
diff --git a/doc/structures/incident.md b/doc/structures/incident.md
index 0d1dde3a..1901efb3 100644
--- a/doc/structures/incident.md
+++ b/doc/structures/incident.md
@@ -18,6 +18,7 @@
|[assignees](#propertyassignees-shortstringstringlist)|ShortStringString List|A set of owners assigned to this incident.||
|[categories](#propertycategories-incidentcategorystringlist)|IncidentCategoryString List|A set of categories for this incident.||
|[description](#propertydescription-markdownstring)|MarkdownString|A description of object, which may be detailed.||
+|[detection_sources](#propertydetection_sources-medstringstringlist)|MedStringString List|A set of sources that contributed threat detections to the incident.||
|[discovery_method](#propertydiscovery_method-discoverymethodstring)|DiscoveryMethodString|Identifies how the incident was discovered.||
|[external_ids](#propertyexternal_ids-stringlist)|String List|It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.||
|[external_references](#propertyexternal_references-externalreferenceobjectlist)|*ExternalReference* Object List|Specifies a list of external references which refers to non-CTIM information. Similar to `external_ids` field with major differences: - `external_ids` field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The `external_ids` field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - `external_references` field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The `external_references` field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.||
@@ -114,6 +115,17 @@ A description of object, which may be detailed.
* *Markdown* Markdown string with at most 5000 characters.
+
+## Property detection_sources ∷ MedStringString List
+
+A set of sources that contributed threat detections to the incident.
+
+* This entry is optional
+* This entry's type is sequential (allows zero or more values)
+
+
+ * *MedString* String with at most 2048 characters.
+
## Property discovery_method ∷ DiscoveryMethodString
diff --git a/src/ctim/examples/incidents.cljc b/src/ctim/examples/incidents.cljc
index 87b8d6c4..aaf591ec 100644
--- a/src/ctim/examples/incidents.cljc
+++ b/src/ctim/examples/incidents.cljc
@@ -27,6 +27,7 @@
:techniques ["T1095", "T1001"]
:source "source"
:source_uri "http://example.com"
+ :detection_sources ["Cisco XDR Analytics", "Microsoft Defender for Endpoint"]
:confidence "High"
:categories ["Denial of Service"
"Improper Usage"]
diff --git a/src/ctim/schemas/incident.cljc b/src/ctim/schemas/incident.cljc
index f816fe9d..b4b3e978 100644
--- a/src/ctim/schemas/incident.cljc
+++ b/src/ctim/schemas/incident.cljc
@@ -133,6 +133,8 @@
:description "Specifies the suspected intended effect of this incident")
(f/entry :assignees [c/ShortString]
:description "A set of owners assigned to this incident.")
+ (f/entry :detection_sources [c/MedString]
+ :description "A set of sources that contributed threat detections to the incident.")
(f/entry :promotion_method v/PromotionMethod
:description (str "Describes method for promoting an Incident, whether manually or automatically. "
"An Incident may be created manually by a SOAR analyst or SOC operator, or "
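Review bot: The `:description` on the new `:detection_sources` entry says "a set" while `[c/MedString]` declares an ordered sequence that admits duplicates, and it does not say what a value is — the example in src/ctim/examples/incidents.cljc uses product names ("Cisco XDR Analytics"), so consumers correlating incidents across feeds need that stated. Suggest `:description "A list of the detection sources (e.g. the product or sensor that produced the detection) that contributed threat detections to the incident; order is not significant."`. The generated doc/structures pages render the entry as optional, which is consistent with `:assignees` just above, so presumably no `:required` marker is wanted — worth confirming. If the producers are a known, bounded set, a closed vocabulary like the existing `DiscoveryMethodString` would keep values comparable across sources; otherwise free-form MedString is acceptable. The enclosing incident schema definition begins and ends outside this hunk.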